Secure platforms as a service allow you to focus on function

Even though larger cloud providers offer security and implementation guidelines, companies still face significant risks and challenges when deploying secure applications to the cloud. A new class of security-focused cloud platforms promises to bridge this gap, bringing best-practices and regulatory compliance with the convenience of platform as a service (PaaS).

Notable examples of this type of company include Datica, Healthcare Blocks and Aptible, all founded in 2013 and all container-based. These companies boast elite security and DevOps teams that work to secure their products and write new features.

Their services are available at low price points and provide a convenient security framework that allows their customers to focus their development efforts on function rather than security.

For example, startups with limited resources can use these platforms to become more capable to demonstrate their unique value to customers. Small hospitals that cannot afford in-house information security or development teams have a far better chance of success using the standard features of these services and the support of season IT professionals that comes with them. Large enterprises and government organizations could benefit from the modern DevOps tooling such as continuous integration and containers built into the products to increase business agility.

Datica, Healthcare Blocks and Aptible, have already served a wide range of customers, including large government organizations, medical practices, hospitals and health/financial tech startups:

The U.S. Department of Veterans Affairs partnered with Datica to deploy new tools more quickly and gain new insights to patient behavior.

The Greater Colorado Anesthesia medical practice used Healthcare Blocks to migrate several on-premises clinical applications to the cloud.

VPN tunnel support for secure integrations to partners and on-premise installations

Load-balancing across multiple application instances

Host-level isolation

SSL termination

Compliant handling of application logs

At-rest database encryption with automated backups

Intrusion detection systems (IDS) integrations, available or built-in

Operating system hardening

Disaster recovery

Emergency 24/7 support

Customer experience

Modern deployment infrastructures are notoriously complex, consisting of hundreds of services that must all be maintained, updated, reconfigured and patched. This is an especially important activity in secure environments, as neglect of their upkeep often results in critical security vulnerabilities. These new platforms promise to simplify management and vastly reduce such risks by providing secure deployment defaults and aggressively refining their technology and policies across all customers.

For example, when the POODLE, Shellshock and Heartbleed vulnerabilities hit, customers using secure PaaS had to do little more than await updates from their vendors, which came within just hours. This was made possible by the underlying container technologies and managed components such as load balancers, reverse proxies and data stores. The reduction in DevOps responsibilities allow teams to move forward on application development instead of dropping everything to put out new fires.

The platforms typically include access management schemes and policy controls for a customer's organization. These settings allow administrators to dictate "who can see or change what," and are important for audits, risk assessments and compliance. Customers are given tools and documentation made to be helpful in passing security checks by regulators and prospective clients.

However, blind trust in these platforms is not advised, as data security is a very delicate matter. For example, few if any protections are provided at the application layer. A page containing sensitive data without password protection would still constitute a data breach, even on these services. As always, understanding the gamut of what these systems do or don't provide is essential to using them effectively. Security through transparency is an industry best practice, and many of these vendors readily provide their security architectures on their websites for review.

These companies offer several different plans, ranging from monthly billing based on resource usage to bespoke enterprise contracts for complex requirements. The industry is new enough that standardization is still actively emerging, and the companies will often offer consulting services to onboard new customers. In fact, the platforms mentioned above are all members of the AWS Partner Network.

While self-serve options are offered for standard application configurations, secure PaaS vendors will readily take meetings to discuss the intricacies of securely deploying their services for new customers. The customer's development teams can then explore the product offerings via inexpensive trials, having their questions and concerns further addressed by the vendor's technical support staff.

These technologies have great potential to lower the barrier to entry for tech companies in regulated environments such as healthcare and fintech, allowing more progress with far fewer resources. Likewise, they could grant enterprises an edge to their internal teams, unlocking the sort of innovation and problem-solving that is enabled with autonomy and lean thinking.

Copyright 2017 IDG Communications. ABN 14 001 592 650. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited.